Creating a New Patch Task

A patch task is used to define how and when the target machines will be scanned for missing patches. It can also be used to optionally deploy any patches identified as missing. If you do not create a patch task, then no patch scanning or patch deployment will be performed by agents that are assigned this policy.

You can create multiple patch tasks for one agent policy. Each task can be expanded and collapsed using the chevron on the task title bar. This enables you to view just the task you are working on at any one time.

While there is no theoretical limit to the number of patch tasks you can create for an agent policy, there is a practical limit. For example, a policy that contains too many patch tasks may become difficult to track and manage. Enabling patch deployment on several different patch tasks can also be problematic: scanning is relatively transparent to the user, but deploying patches is not, as it often involves a reboot of the user's machine. In addition, you run the risk of multiple deployments occurring on one machine at the same time.

You configure agent patch tasks on the Patch tab. You can edit an existing patch task, or you can create a new task by clicking Add a Patch Task. Be sure to give the task a descriptive name because this is the name the users will see from within the client program.

Patch Scan Template

You must specify the template to use when an agent performs a patch scan. The patch scan template dictates exactly what will be scanned for and what will be ignored during a scan. The list of templates available for selection will include the two predefined templates (Security Patch Scan and WUScan) plus any custom templates you've already defined. You can also do the following:

  • New: Enables you to create a new patch scan template from scratch.

  • Edit: Enables you to edit an existing, custom patch scan template. The predefined templates cannot be edited. If you edit and save a template that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

If you click New or Edit, the Patch Scan Template dialog is displayed. See Creating a New Patch Scan Template for details on configuring the template.

Note: The automatic deployment function and the automatic e-mail function on the patch scan template are not supported by Shavlik Protect Agent. If these functions are enabled they will be ignored.

Deployment Template

You must specify the template to use when an agent performs a patch deployment. The list of templates available for selection will include the predefined deployment templates (Agent Standard, Standard, and Virtual Machine Standard) plus any custom templates you've already defined. You can also do the following:

  • New: Enables you to create a new deployment template from scratch.

  • Edit: Enables you to edit an existing, custom deployment template. The predefined deployment templates cannot be edited. If you edit and save a template that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

If you click New or Edit, the Deployment Template dialog is displayed. See Creating a Deployment Template for details on configuring the template.

Note: Automatic e-mail notifications, custom actions, and distribution server options that may be specified in the deployment template do not apply to a Shavlik Protect Agent. In addition, the deployment template you use for agents should specify full-file Office patches on the Office tab. Agents do not use the Original Media paths specified in deployment templates, so binary Office patches may fail to install on agents.

Deploy patches

If you want the agent to be able to automatically deploy patches that are identified as missing by the patch scan, enable this check box.

When the agents perform a patch deployment they will deploy only those patches that are:

  1. Scanned for by the patch scan template, and

  2. Reported as missing, and

  3. Defined as approved patches.

The approved patches can be either all patches detected as missing by a scan, or they can be limited to those patches you define in a patch group and/or to those patches deemed critical by the patch vendor. The list of approved patches defined here is bound to this particular patch task. The list will not be used by other patch tasks within the agent policy.

  • All patches detected as missing: Specifies that any patch identified as missing will be eligible for deployment.

  • Patch Group: Only those patches contained in the specified patch group will be deployed by the agent. If a scan detects missing patches not included in this group, those patches will not be deployed.

  • Plus all vendor critical patches: Specifies that in addition to the patches defined in the patch group, the list of patches approved for deployment should also include any patches identified as critical by the patch vendor. This gives you the security of knowing that if your patch group is out of date you will still always be able to deploy any new critical patches.

    To deploy only vendor critical patches, enable this check box and then specify an empty patch group in the Patch Group box.

  • New: Enables you to make a new patch group. For more information see Creating and Editing a Patch Group.

  • Edit: Enables you to make modifications to the selected patch group. Be careful here, because any modifications you make will affect any other scan templates that are using the patch group. If you edit and save a patch group that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

Note: If you also choose to enable the deployment of service packs (see the Deploy Service Packs option), on an agent machine that is missing both service packs and patches, service packs are deployed first.
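The three conditions above (scanned for, reported missing, approved) together with the three approval options can be read as a single predicate. The following is an added example, not code from Shavlik Protect: the Patch and ApprovalSettings types, the template filter and the sample scan results are constructed here to illustrate the rules; the security-first ordering follows the Patch Deployment Process section below.

```python
"""Model of the filter a patch task applies before deploying anything.

Added example, not Shavlik Protect code. Field names, the template filter and
the sample scan results are constructed to illustrate the documented rules.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Patch:
    patch_id: str             # constructed identifier, not a real bulletin number
    patch_type: str           # "security" or "non-security"
    vendor_critical: bool     # flagged critical by the patch vendor
    missing: bool             # result of the agent's scan


@dataclass
class ApprovalSettings:
    """Mirrors the 'Deploy patches' options of a patch task."""
    all_missing: bool = False              # "All patches detected as missing"
    patch_group: frozenset = frozenset()   # "Patch Group"; an empty group approves nothing by itself
    plus_vendor_critical: bool = False     # "Plus all vendor critical patches"


def scanned_for(template_types: frozenset, patch: Patch) -> bool:
    """The patch scan template decides what is scanned for; everything else is ignored."""
    return patch.patch_type in template_types


def is_approved(settings: ApprovalSettings, patch: Patch) -> bool:
    if settings.all_missing:
        return True
    if patch.patch_id in settings.patch_group:
        return True
    return settings.plus_vendor_critical and patch.vendor_critical


def select_for_deployment(template_types: frozenset, settings: ApprovalSettings,
                          scan_results: Iterable[Patch]) -> list:
    """A patch is deployed only if it is (1) scanned for, (2) reported missing
    and (3) approved. Security patches are downloaded first, then other types."""
    chosen = [p for p in scan_results
              if scanned_for(template_types, p) and p.missing and is_approved(settings, p)]
    chosen.sort(key=lambda p: 0 if p.patch_type == "security" else 1)  # stable sort
    return [p.patch_id for p in chosen]


# Constructed sample scan result for one agent machine.
SCAN = [
    Patch("P-001", "security", vendor_critical=True, missing=True),
    Patch("P-002", "security", vendor_critical=False, missing=True),
    Patch("P-003", "non-security", vendor_critical=False, missing=True),
    Patch("P-004", "security", vendor_critical=True, missing=False),   # already installed
    Patch("P-005", "non-security", vendor_critical=True, missing=True),
]
SECURITY_ONLY = frozenset({"security"})
ALL_TYPES = frozenset({"security", "non-security"})
```

With an empty patch group and "Plus all vendor critical patches" enabled, only P-001 and P-005 are selected, which is the "deploy only vendor critical patches" configuration described above; P-004 is never selected because it is not missing, whatever the approval settings.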

Patch Deployment Process

Once the list of approved patches is determined, the patches are downloaded and installed according to their priority. Security patches are downloaded first, followed by all other patch types. The downloads occur in the background using idle bandwidth not being used by other applications. Foreground tasks such as Web browsing are not affected by the patch download process.

Each patch task is allotted a 60 minute window to download the missing patches. (This is part of a two hour total maintenance window that is allocated for downloading missing service packs and patches.) Only those patches that are successfully downloaded during this 60 minute window will be installed by the active patch task. If the patch task cannot finish downloading all missing patches during the 60 minute window, the remaining patches will be identified, downloaded, and installed the next time the patch task is run.

If an agent machine becomes disconnected from the network during a file download, the process will be suspended and will automatically resume where it left off when the network is available again. This technique is called checkpoint/restart and is extremely useful for machines that are frequently disconnected.

Deploy service packs

If you want the agent to be able to automatically deploy service packs that are identified as missing by the patch scan, enable this check box.

When the agents perform a service pack deployment they will deploy only those service packs that are:

  1. Scanned for by the patch scan template, and

  2. Reported as missing, and

  3. Approved for deployment.

The approved service packs can be either all service packs detected as missing by a scan, or they can be limited to those service packs you define in a service pack group. The list of approved service packs defined here is bound to this particular patch task. The list will not be used by other patch tasks within the agent policy.

  • More info: A link to the About Service Pack Groups Help topic that explains how service pack groups are used by the program.

  • All SPs detected as missing: Specifies that any service pack identified as missing will be eligible for deployment.

  • Service Pack Group: Only those service packs contained in the specified service pack group will be deployed by the agent. If a scan detects missing service packs not included in this group, those service packs will not be deployed.

  • Limit deployments (per day): Specifies the maximum number of service packs that can be deployed to a machine in one day. Service packs can take a long time to deploy and almost always require a reboot of the machine, so you typically want to keep this number rather small. If you do not limit the number of service pack deployments in a day you run the risk of overwhelming a machine if it is missing a large number of service packs. If a machine is missing more service packs than the specified limit, the additional service packs will be deployed the next time the patch task is run.

Tip: Note that a "day" in this case is considered to be a calendar date and not a 24 hour period. This means the day is reset at midnight. If you were to schedule the patch task to run on an hourly basis (not recommended), it would allow you to maximize an overnight maintenance window by deploying the maximum number of service packs before midnight and then again immediately after midnight.

  • New: Enables you to make a new service pack group. For more information see Creating and Editing a Service Pack Group.

  • Edit: Enables you to make modifications to the selected service pack group. Be careful here, because any modifications you make will affect any patch task that references the service pack group. Also, if you edit and save a service pack group that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

Service Pack Deployment Process

If an agent machine is missing multiple service packs, only one service pack will be installed at a time. The patch task will begin by initiating the download of all missing service packs. Operating system service packs are downloaded at a higher priority, but whichever service pack gets downloaded first is the one that is first installed. After the service pack is successfully installed, the machine is restarted, rescanned, and the process is repeated until all service packs are deployed or until the daily limit is reached [see the Limit deployments (per day) option].

In addition, each patch task is allotted a 60 minute window to complete the download > install > restart > rescan process. (This is part of a two hour total maintenance window that is allocated for downloading missing service packs and patches.) Only those service packs that are successfully downloaded during this 60 minute window will be installed by the active patch task. If the patch task cannot finish downloading all missing service packs during the 60 minute window, the remaining service packs will be identified, downloaded, and installed the next time the patch task is run.
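The deployment loop described above, the 60 minute download window (which applies to patches in the Patch Deployment Process section as well) and the calendar-date behaviour of Limit deployments (per day) can be simulated. The following is an added example, not Shavlik Protect code: the ServicePack fields, the constructed download finish times and the 20 minute install/restart/rescan step are assumptions made to illustrate the rules.

```python
"""Service pack deployment loop of a patch task, modelled in code.

Added example, not Shavlik Protect code. Download finish times and the
install/restart/rescan duration are constructed values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DOWNLOAD_WINDOW = timedelta(minutes=60)   # per-task download window from the text


@dataclass
class ServicePack:
    sp_id: str
    download_minutes: int   # constructed: minutes after task start the download completes


@dataclass
class AgentState:
    # calendar date -> number of service packs deployed on that date
    deployed_on: dict = field(default_factory=dict)

    def deployed_today(self, when: datetime) -> int:
        return self.deployed_on.get(when.date(), 0)

    def record(self, when: datetime) -> None:
        self.deployed_on[when.date()] = self.deployed_today(when) + 1


def run_patch_task(state: AgentState, missing: list, run_start: datetime,
                   daily_limit: int, step_minutes: int = 20):
    """One run of the task. Returns (installed_now, deferred_to_next_run)."""
    installed, deferred = [], []
    clock = run_start
    # All downloads start together. OS service packs get higher download
    # priority, but whichever finishes first is installed first, so the
    # install order follows the (constructed) finish times.
    for sp in sorted(missing, key=lambda s: s.download_minutes):
        finished = run_start + timedelta(minutes=sp.download_minutes)
        if finished - run_start > DOWNLOAD_WINDOW:
            deferred.append(sp.sp_id)      # not downloaded inside the 60 minute window
            continue
        clock = max(clock, finished)       # one service pack at a time
        if state.deployed_today(clock) >= daily_limit:
            deferred.append(sp.sp_id)      # daily limit reached for this calendar date
            continue
        state.record(clock)                # install -> restart -> rescan
        installed.append(sp.sp_id)
        clock += timedelta(minutes=step_minutes)
    return installed, deferred


SAMPLE_SPS = [ServicePack("SP-A", 10), ServicePack("SP-B", 25), ServicePack("SP-C", 70)]


def demo_window_and_limit():
    """Constructed run at 02:00 with a daily limit of 3: SP-C's download does not
    finish inside the 60 minute window, so it waits for the next run."""
    state = AgentState()
    return run_patch_task(state, SAMPLE_SPS, datetime(2024, 1, 1, 2, 0), daily_limit=3)


def demo_midnight_reset():
    """Constructed run at 23:45 with a daily limit of 1: the second service pack
    is installed after midnight because the count is kept per calendar date."""
    state = AgentState()
    sps = [ServicePack("SP-A", 10), ServicePack("SP-B", 15)]
    installed, deferred = run_patch_task(state, sps, datetime(2024, 1, 1, 23, 45), daily_limit=1)
    return installed, deferred, {d.isoformat(): n for d, n in state.deployed_on.items()}


def demo_daytime_limit():
    """Same two service packs at 01:00 with a daily limit of 1: SP-B is deferred."""
    state = AgentState()
    sps = [ServicePack("SP-A", 10), ServicePack("SP-B", 15)]
    return run_patch_task(state, sps, datetime(2024, 1, 1, 1, 0), daily_limit=1)
```

The midnight scenario is the behaviour the Tip under Limit deployments (per day) describes: a task that straddles midnight sees the counter reset, so two service packs are installed even with a limit of one per day, while the same task at 01:00 defers the second one to the next run.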

The downloads occur in the background using idle bandwidth not being used by other applications. Foreground tasks such as Web browsing are not affected by the service pack download process.

If an agent machine becomes disconnected from the network during a file download, the process will be suspended and will automatically resume where it left off when the network is available again. This technique is called checkpoint/restart and is extremely useful for machines that are frequently disconnected.

Schedule area

The patch schedule specifies how often the task will run on a target machine. It allows you to regularly run the task at a specific time or using a specified recurrence pattern. A built-in scheduler will be provided for each agent. The scheduler will check for new patch data immediately before starting a scheduled patch task.

The agent scheduler will serialize executions of the same agent engine. For example, if you define a policy with two patch tasks that both start at 1:00 AM, they will not both start at 1:00; rather, they will be serialized (run back-to-back). If you have a patch task and a threat task both scheduled for 1:00 AM, however, they will both be started at 1:00 AM as they use different agent engines.

Hourly

Allows you to schedule the task to be run on an hourly basis.

  • Run every hh hours: You can specify exactly how many hours there should be between scans. Valid values are from 1 - 100 hours.

  • starting at this time: The first scan will begin at the specified time. Subsequent scans will be performed at the interval specified on Run every hh hours.

Daily

Indicates that the task will be run on the specified days, at the time of your choosing. For example, using this option a scan could be run every night at midnight, every Saturday at 9:00 pm, or at 1:00 am on the first Sunday of every month.

Randomize scheduled time (minutes)

Staggers the exact time the task will be performed so as not to overtax the console or designated distribution server with simultaneous requests to download patch files, scan engines, etc.

Run on boot if schedule missed

If a scheduled task is missed while a target machine is powered off, this option enables you to force the task to automatically run whenever the machine is restarted. The task will run immediately unless you enable the Delay after boot (minutes) check box, in which case the execution will be delayed by the specified number of minutes.
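The scheduling rules in this Schedule area (hourly recurrence within 1 - 100 hours, randomized start, run on boot when a schedule was missed, and serialization of tasks that share an agent engine) can be expressed as a few small functions. The following is an added example, not Shavlik Protect code: the function names, the task tuple layout and the sample times are constructed to illustrate the text.

```python
"""Scheduling rules of the agent 'Schedule area', modelled in code.

Added example, not Shavlik Protect code. Function names, the task tuple
layout and the sample times are constructed for illustration.
"""
import random
from datetime import datetime, timedelta
from typing import Optional


def next_hourly_run(first_run: datetime, every_hours: int, now: datetime) -> datetime:
    """Next occurrence of 'Run every hh hours, starting at this time'."""
    if not 1 <= every_hours <= 100:
        raise ValueError("Run every hh hours accepts values from 1 - 100")
    if now < first_run:
        return first_run
    interval = timedelta(hours=every_hours)
    elapsed_intervals = (now - first_run) // interval   # timedelta // timedelta -> int
    return first_run + (elapsed_intervals + 1) * interval


def randomize_start(scheduled: datetime, max_minutes: int, rng: random.Random) -> datetime:
    """'Randomize scheduled time (minutes)': stagger agents so they do not all
    request patch files and engines from the console at the same moment."""
    return scheduled + timedelta(minutes=rng.randint(0, max_minutes))


def run_after_boot(last_due: datetime, last_completed: Optional[datetime],
                   boot_time: datetime, run_on_boot: bool,
                   delay_minutes: Optional[int] = None) -> Optional[datetime]:
    """'Run on boot if schedule missed': a run that was due while the machine was
    off is executed at boot, optionally after 'Delay after boot (minutes)'.
    Returns the catch-up run time, or None when nothing was missed."""
    missed = last_completed is None or last_completed < last_due
    if not (run_on_boot and missed and boot_time > last_due):
        return None
    return boot_time + timedelta(minutes=delay_minutes or 0)


def serialize_by_engine(tasks) -> dict:
    """Tasks sharing an engine run back-to-back; different engines start
    concurrently. tasks: (name, engine, scheduled_start, duration_minutes).
    Returns {name: actual_start}."""
    actual, engine_busy_until = {}, {}
    for name, engine, start, minutes in sorted(tasks, key=lambda t: t[2]):
        begin = max(start, engine_busy_until.get(engine, start))
        actual[name] = begin
        engine_busy_until[engine] = begin + timedelta(minutes=minutes)
    return actual


def demo() -> dict:
    """Constructed scenario; returns ISO timestamps so the results are easy to check."""
    first = datetime(2024, 1, 1, 1, 0)              # first scan at 1:00 AM
    boot = datetime(2024, 1, 1, 8, 0)               # machine powered on at 8:00 AM
    tasks = [("patch-A", "patch", first, 30), ("patch-B", "patch", first, 30),
             ("threat", "threat", first, 30)]
    jittered = randomize_start(first, 30, random.Random(7))
    try:
        next_hourly_run(first, 101, first)
        rejects_out_of_range = False
    except ValueError:
        rejects_out_of_range = True
    return {
        "next_hourly": next_hourly_run(first, 6, datetime(2024, 1, 1, 14, 0)).isoformat(),
        "jitter_ok": first <= jittered <= first + timedelta(minutes=30),
        "rejects_out_of_range": rejects_out_of_range,
        "catch_up": run_after_boot(first, None, boot, True, 10).isoformat(),
        "not_missed": run_after_boot(first, datetime(2024, 1, 1, 1, 5), boot, True, 10),
        "serialized": {n: t.isoformat() for n, t in serialize_by_engine(tasks).items()},
    }
```

In the constructed scenario the two patch tasks share the patch engine, so patch-B starts only when patch-A's 30 minute run ends, while the threat task starts at 1:00 AM alongside patch-A; the missed 1:00 AM run is caught up at 8:10 AM because a 10 minute delay after boot was set.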

Save and update Agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

  • If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.

  • If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.

  • If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and update Agents). If you click No the Agent Policy Editor will be closed without saving your changes.